[Snort-users] tag:host

Xin, Qiao qxin at ...17138...
Wed Apr 15 18:54:41 EDT 2015


Hi Al,

Thank for the reply.
I understand tagging will log other traffics between the source and destination IPs.
Can tagging log traffics from a host other than the source IP to the destination IP? Or can it log traffics from the source IP to a host other than the destination IP?

Thanks again?
Qiao


On Apr 15, 2015, at 5:09 PM, Al Lewis (allewi) <allewi at ...589...<mailto:allewi at ...589...>> wrote:

Hello Qiao,

Do you want to just capture "interesting traffic" (alert) or ALL traffic from src and destination after the initial alert as well?

Tagging allows you to log any other traffic between those hosts for a specified time or packet count after the initial alert.

For the logging you have several output formats to choose from.


Section on tagging: http://manual.snort.org/node34.html#SECTION00475000000000000000

Section on logging: http://manual.snort.org/node21.html


Hope this helps!


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...<mailto:allewi at ...589...>

From: Xin, Qiao [mailto:qxin at ...17138...]
Sent: Wednesday, April 15, 2015 1:54 PM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: [Snort-users] tag:host

Hi,

I have a question on how the tag:host works. I have a rule based on the content of the packet as

alert udp $HOME_NET any -> any any (msg:"suspicious traffic--";content:"bad content";nocase; tag:host, 60, packets, dst; classtype:bad-unknown;sid:1000001;rev:0;)

I want to capture traffic of coming from any HOME_NET host to the destination IP in the alert packets.
Will "tag:host" and the "dst" option work?
If it works, in which file will the captured packets by the tag:host be stored?
How can we easily associate the packets captured by the tag:host action with the packets captured by the snort alert?

Thanks,
Qiao
-------------------




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150415/476fc5e0/attachment.html>


More information about the Snort-users mailing list